OpenID homesite authorization spoofed

Eddy Nigg (StartCom Ltd.) eddy_nigg at startcom.org
Mon Oct 23 01:53:33 UTC 2006


Hi David and everybody else!

Recordon, David wrote:
> Alaric,
> Mind sharing the attack...at least privately?
>   
Sorry for that... I wasn't sure if my theory holds water, so I
wanted to test it...
> If this involved DNS spoofing, then it certainly is known that OpenID
> can be exploited in such fashion, just as every other site out on the
> Internet today not using DNSSEC can be.
>   
No, David, I didn't use any DNS poisoning, but something much simpler than that...
> I'm not sure exactly what you and Eddy are trying to prove.  
That with SSL-secured homesites as a requirement, this would have been
harder. Obviously self-signed certificates wouldn't provide the protection!
Since Dick already seems to agree, to the extent that if others agree
too, then at least the IDPs (homesites) shall be SSL-secured as a
requirement, not a recommendation... I think that we've perhaps gained
something here...
> I fully
> understand that using OpenID with no SSL and no DNSSEC is technically
> insecure, and no one has ever made the claim that OpenID has "military
> grade" security as it stands today.  Did you prove something else that
> I'm just missing?
>   
Well, SSL could give the first line of protection, and yes, I'd like to
prove how easy it would be to gain access to dick.myopenid.com or
whatever (I didn't do that, but used Alaric's ID (startssl) instead).
Then perhaps everybody on this list is going to agree on this requirement.

I'm going to forward a few screenshots and more explanations to you
(please mail me privately) if you are interested.
> Regards,
> --David
>   

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390

